Josue Ledesma, September 2023

Ransomware Response Plan: What Companies Should Do After an Attack 

Ransomware attacks are among the most devastating attacks an organization can face and, unfortunately, they are extremely common. In Q2 2023 alone, ransomware activity increased by over 70% compared with the preceding quarter. These attacks remain highly lucrative for threat actors: the average ransomware payment reached $4.7M in 2022, which is likely why attack volumes keep climbing.  

The ransom payment is not even the worst part of an attack. The time lost during the incident, the resources diverted to deal with it, and the potential long-term damage to the company's brand and reputation can be a far larger and longer-lasting cost than any ransom. 

Offsetting and minimizing the impact of a ransomware attack requires a swift and effective response, laid out in advance as part of a robust, comprehensive cybersecurity strategy. Having a solid ransomware response plan in place is essential given how prevalent these attacks are. In this article, we give you a step-by-step guide to what you should do if your organization is hit with ransomware. 

5 Steps Organizations Should Take After a Ransomware Attack

Step 1: Disconnect from the Source 

If you can identify which compromised device or server is running the ransomware, disconnect it from your other systems, devices, and network immediately: unplug the network cable, disable Wi-Fi, or block it at the switch or firewall. Where possible, isolate rather than power off; shutting the machine down destroys volatile memory (running processes, network connections and, for some strains, encryption keys still held in RAM) that forensic investigators and decryption tools may need. Isolation prevents the ransomware from spreading to other devices and encrypting your entire network. Keep in mind that the first device you notice is not necessarily where the intrusion started, so extend the isolation to any other hosts showing the same signs, and make sure backup systems cannot be reached from the compromised segment. 

By isolating the infected devices or systems, you stop the attack from fully compromising your network and may keep the malware away from your most essential and sensitive assets, avoiding business disruption or downtime. It also makes every subsequent step more effective. 

Step 2: Assess the Situation 

Once the ransomware is contained, it's crucial to identify which strain has breached your network. Different ransomware families have distinct characteristics (the extension appended to encrypted files, the name and wording of the ransom note, the encryption scheme used), and some are far easier to recover from than others. 

Depending on the strain, a free decryption tool may already exist that can recover locked files; check a reputable catalogue of known decryptors (the No More Ransom project maintains one) before attempting anything else, and test any decryptor on copies of files first. If there is no known decryption tool, the strain is still important to know: it tells you whether the group behind it is known to steal data before encrypting it, and what additional contingency measures an organization can take to mitigate the damage. 
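The first concrete input to "assess the situation" is an inventory of what the ransomware actually did on disk. The following is an added example, not code from the original article or from ProLion: it walks a directory tree, tallies the extensions of the files it finds, flags files whose names look like ransom notes, and measures byte entropy so encrypted files can be told apart from untouched ones. The ransom-note name pattern, the 7.5 bits/byte entropy threshold and the sample tree are assumptions for illustration; the dominant extension and note name it reports are what you would compare against a decryptor catalogue to identify the family.

```python
"""Ransomware triage: inventory a file share to help identify the strain.

Added example, not part of the original article or ProLion's tooling.
Note-name pattern, entropy threshold and sample data are assumptions.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Shapes of ransom-note file names seen across many families (assumption: not exhaustive).
NOTE_PATTERN = re.compile(
    r"(readme|restore|recover|decrypt|how[_ -]?to|help).*\.(txt|html|hta)$",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Inventory a tree: extension counts, suspected ransom notes, high-entropy files."""
    ext_counts: Counter = Counter()
    notes, high_entropy = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if NOTE_PATTERN.search(path.name):
            notes.append(rel)
            continue  # a note is not an encrypted file; do not count its extension
        ext_counts[path.suffix.lower() or "<none>"] += 1
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(sample_bytes)) > entropy_threshold:
                high_entropy.append(rel)
    dominant = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {
        "extensions": dict(ext_counts),
        "dominant_extension": dominant,
        "suspected_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample data: two 'encrypted' files, one clean file, one ransom note."""
    rng = random.Random(1)  # seeded so the 'ciphertext' is reproducible
    base = Path(root)
    (base / "report.docx.locked").write_bytes(rng.randbytes(4096))
    (base / "budget.xlsx.locked").write_bytes(rng.randbytes(4096))
    (base / "minutes.docx").write_bytes(b"Quarterly planning minutes. " * 150)
    (base / "README_TO_RESTORE.txt").write_text("Your files have been encrypted.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("dominant extension:", result["dominant_extension"])
    print("suspected notes:", result["suspected_notes"])
    print("high-entropy files:", result["high_entropy_files"])
```

Run it against the affected share (or a read-only copy of it) rather than the constructed tree; extension tallies and a note file name are usually enough to identify the family, and the high-entropy list doubles as a first estimate of how much data needs recovery.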

Step 3: Communicate with Leadership 

Once the attack is sufficiently contained, it's time to mobilize the organization. You should already have a plan that specifies which departments, stakeholders, and executives are part of the incident response effort; if you don't, this is the moment to define it. 

Reach out to all affected department heads, then work with legal, PR, and potentially HR to develop internal and external communication and response plans; legal should also track any regulatory or contractual notification deadlines that the incident triggers. With everyone ready to act (ideally proactively), your organization can respond quickly, reducing the impact and cost of the attack. 

Step 4: Determine Response Strategy 

Often the first decision to make when faced with a ransomware attack is whether or not to pay the ransom. While the decision is ultimately up to leadership and depends on factors such as the type of data affected, your industry, and how badly your operations are disrupted, it's highly recommended that you don't pay and instead pursue other routes to recovery. Legal counsel should also confirm whether a payment would even be lawful, since payments to sanctioned groups can be prohibited. 

Paying a ransom can encourage the threat actor to carry out more attacks (potentially against your organization again), and there is no guarantee that paying will get your data back: the attacker's decryptor may be slow, incomplete, or never delivered, and it does nothing about data that was already stolen. 

Beyond this decision, your ransomware response plan should involve all relevant stakeholders, departments, and any third parties (such as forensic investigators or an incident response retainer). This helps you fully eradicate the threat, determine which attack vector was exploited, put processes or policies in place to close it (where possible), and ensure that employees and any affected external parties are told what happened. 

Step 5: Restore Data and Patch Up Vulnerabilities 

Once you've eradicated the threat from your network, you can restore the affected data from backups and begin post-incident analysis. Before restoring, verify that the backups themselves were not encrypted, deleted, or tampered with, and restore from a point before the attacker's initial access rather than just before the encryption started, since ransomware operators often sit inside a network for days or weeks before detonating. 

This includes investigating exactly how the ransomware entered your organization, identifying the security gaps that led to the compromise, fixing the vulnerability, and verifying through penetration testing that the fix is actually sufficient. 

There are many ways ransomware can get into your environment: through a third party, an employee clicking a link in a phishing email, or the exploitation of a device or software vulnerability. Knowing exactly how your network was compromised is what prevents the next attack. 67% of organizations that suffer a data breach suffer another within 12 months, largely because the vulnerability that led to the first attack is never addressed. Having the right response strategy helps prevent a repeat incident. 

Why Consider Defense in Depth? 

A single line of defense is not enough for a sound cybersecurity strategy. A layered, comprehensive strategy built on the Defense in Depth approach is much more effective. 

Defense in Depth (DiD) combines preventative, protective, and proactive detection and response measures that not only reduce the risk of a security incident but also put the tools, processes, and strategy in place to recover quickly if a breach does succeed. This multi-tiered approach ensures that if one layer is compromised, the organization still has resources to address the attack, providing redundancy and strengthening its overall security posture. 

The layers in a DiD strategy include: 

  • Physical controls: This can include keycard verification or security cameras that monitor for any physical intrusion into an office or a physical server storage location. 
  • Technical controls: These are best known as security tools and solutions, such as antivirus software, endpoint detection and response (EDR) tools, and more sophisticated systems and platforms such as SIEMs, identity and access management platforms, and cloud application security platforms. 
  • Administrative controls: These address the human element and refer to policies, processes, and procedures such as risk assessment, penetration testing, and cybersecurity awareness training that aim to reduce the chance of employees being exploited. 

Data breaches and security incidents, particularly ransomware attacks, are inevitable, and organizations that focus only on prevention are likely to suffer most when an attack does occur. By adopting the Defense in Depth approach, you address the many entry points that could lead to a ransomware attack while having the resources and policies in place to respond quickly if one does happen.  

CryptoSpike to the Rescue! 

As organizations build out their Defense in Depth approach, selecting the right tools is important to ensure they have the capabilities to defend against, detect, and eliminate a ransomware threat. 

ProLion's CryptoSpike is designed to be the last-chance tool that helps organizations recover their files and data in the event of a ransomware attack on their storage systems. The tool detects unusual activity in your file system in real time, blocks the attack, and provides single-file restoration. Restoring individual files is quicker and more precise than a full restore from traditional backups because it pinpoints exactly which data needs recovery. 
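The "unusual activity in your file system" that such real-time detection watches for is, above all, one account renaming or rewriting many files to a new extension in a short burst, which is what a mass-encryption run looks like from the storage side. The following is an added example and is not ProLion's code: a sliding-window detector run over constructed file-server audit events. The log line format, the ten-second window and the threshold of five extension-changing renames are assumptions for illustration; a production tool would feed the alert into blocking the offending user's session on the storage system, as the article describes.

```python
"""Behavioural ransomware detection over file-server audit events.

Added example, not ProLion's code. Log format, window and threshold are
assumptions; the sample log below is constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed audit line shape: "<ISO time>Z user=<name> op=<OP> path=<p> [new=<p>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed sample: alice encrypts a share in a burst, bob renames two files
# normally over a minute, carol writes one file, and one rename keeps its extension.
SAMPLE_LOG = """
2023-09-14T10:02:01Z user=alice op=RENAME path=/share/finance/q2.xlsx new=/share/finance/q2.xlsx.locked
2023-09-14T10:02:02Z user=alice op=RENAME path=/share/finance/q3.xlsx new=/share/finance/q3.xlsx.locked
2023-09-14T10:02:03Z user=alice op=RENAME path=/share/finance/plan.docx new=/share/finance/plan.docx.locked
2023-09-14T10:02:04Z user=bob op=RENAME path=/share/hr/draft.docx new=/share/hr/draft_old.docx
2023-09-14T10:02:05Z user=alice op=RENAME path=/share/finance/budget.pdf new=/share/finance/budget.pdf.locked
2023-09-14T10:02:06Z user=carol op=WRITE path=/share/eng/notes.md
2023-09-14T10:02:07Z user=alice op=RENAME path=/share/finance/ar.csv new=/share/finance/ar.csv.locked
2023-09-14T10:02:08Z user=alice op=RENAME path=/share/finance/ap.csv new=/share/finance/ap.csv.locked
2023-09-14T10:02:30Z user=bob op=RENAME path=/share/hr/export.csv new=/share/hr/export.txt
2023-09-14T10:03:10Z user=bob op=RENAME path=/share/hr/photo.jpg new=/share/hr/photo.png
""".strip().splitlines()


def parse_event(line: str) -> Optional[dict]:
    """Parse one audit line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def extension_changed(path: str, new: Optional[str]) -> bool:
    """True when a rename swaps the file extension, e.g. .xlsx -> .locked."""
    return new is not None and PurePosixPath(path).suffix != PurePosixPath(new).suffix


def detect(lines: Iterable[str], window: timedelta = timedelta(seconds=10),
           threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Alert once per user when extension-changing renames in `window` reach `threshold`.

    Returns (user, ISO time of the event that crossed the threshold, count) tuples.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-user rename times
    alerted = set()
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RENAME" or not extension_changed(ev["path"], ev["new"]):
            continue  # ignore noise: writes, unparsable lines, renames keeping the extension
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop renames that fell out of the sliding window
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], ev["ts"].isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect(SAMPLE_LOG):
        print(f"ALERT {when}: {user} changed {count} file extensions within the window")
```

Only alice trips the detector (at her fifth rename, 10:02:07); bob's three ordinary renames are spread over a minute and never accumulate, and carol's write is not a rename at all. Tune the window and threshold against a baseline of normal activity on the share, since a legitimate bulk migration can look similar and is exactly the false positive a blocking control must not cause.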

To learn more about how you can protect your organization in the face of a ransomware attack, download our white paper here. 

About ProLion

ProLion offers powerful data protection solutions that safeguard critical storage and backup data, on-premises or in the cloud. From ransomware protection that detects threats in real time to data transparency, our industry-leading solutions ensure your storage system remains secure, compliant, manageable, and accessible around the clock.